Lessons for HR in Light of Data Breaches

With more data breaches occurring each year, is your IT department equipped to handle the aftermath?

On Aug. 18, 2014, Community Health Systems Inc.—one of the largest hospital systems in the country—said cyber thieves stole the Social Security numbers and other personal information of more than 4.5 million patients, according to news reports.

Earlier in August, 1.2 billion user names and passwords and 542 unique e-mail accounts were stolen by Russian hackers from 420,000 websites worldwide, according to The New York Times. Companies panicked, mostly because Hold Security, which discovered the breach, declined to identify the sites affected, citing confidentiality concerns.

Many companies have since scrambled to change passwords and review security protocols. But experts say repeated breaches of this nature should prompt human resource departments to make sure their IT staffs are capable of protecting their corner of the Internet kingdom.

The risk of a data breach is an ongoing problem for any company doing business online. In a 10-year study, the number of data breaches has risen to more than 5,900, according to Verizon’s 2014 Data Breach Investigations Report.

According to the ninth annual 2014 Cost of Data Breach Study: Global Analysis from research organization the Ponemon Institute, the average total cost of a data breach for companies participating in the study increased 15 percent in one year, to $3.5 million.

Experts say preventing data security breaches today requires forward-thinking. “It’s far more complex than just changing passwords,” said David Shearer, chief operating officer of International Information Systems Security Certification Consortium (ISC²), a nonprofit that certifies information and software security professionals worldwide. “We have to look at our personnel side and see what we need to be secure,” he said in a phone interview.

Shearer likened it to having a home security system. “You need to know your access points—windows, doors. You need to know where the weakest links are and what you can do to mitigate those risks. You have to do more than change passwords.”

What Should HR Do?

The most important thing, Shearer and other experts have said, is for HR practitioners to make sure they have the proper staff in place to handle such issues. If not, hire an expert to assess risk and address damage.

“Look for third-party, credible companies that come in and do a risk assessment to see the level of vulnerabilities that [you] may have,” Shearer said. “You have to understand your vulnerabilities first. Otherwise you run the risk of taking a piecemeal approach” to keeping your data secure.

Once a breach has been detected, Shearer said companies should determine how it occurred.

“Was this a failure of existing policies, principles, practices and procedures?” IT should look at the root cause of a breach. Ask: “Has someone done something that introduced a vulnerability?” he said.

“If they understand how this happened then they can … develop the policies and training to ensure it doesn’t happen again.”

Assessing the internal team is important as well. “Was it a breakdown in the system or a mistake?” Or the problem may be that “you don’t have the right people operating your IT security program,” Shearer said.

“There really is no perfectly secure system, but with the right skills and training, you may reduce [your] odds. The chances of you not being compromised are far better.”

Just as you wouldn’t give your house keys to every neighbor on your block, HR should make certain the IT department strategy includes making sure only certain people have access to certain levels of data.

“Keep data on a need-to-know basis,” Verizon advised in its recent data breach report. Companies should limit staff access to only the systems needed to do their jobs. “And make sure that you have processes in place to revoke access when people change roles or leave.”
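One way to put the need-to-know and access-revocation advice above into a repeatable check is to reconcile the HR roster against what each system actually grants. The following is an added example, not code from the article, Verizon or any vendor: the roles, entitlement matrix, employees and access list are all constructed for illustration, and in practice the roster would come from an HR export and the access list from each system.

```python
"""Access review against the HR roster: flag accounts to revoke or trim.

Added example (not from the article or any vendor). Sample data below is
constructed for illustration; real input would be an HR roster export and
an access list pulled from each system.
"""
from dataclasses import dataclass

# Constructed "need-to-know" entitlement matrix: which systems each role needs.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll", "email"},
    "recruiter": {"ats", "email"},
    "sysadmin": {"payroll", "ats", "email", "vpn"},
}


@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    active: bool  # False once HR records a departure


def review_access(roster, access):
    """Return (revoke, trim) findings.

    roster: iterable of Employee records from HR.
    access: dict user -> set of systems the user can currently reach.
    revoke: users who should lose all access (departed, or unknown to HR).
    trim:   (user, system) pairs beyond the user's current role entitlements.
    """
    by_user = {e.user: e for e in roster}
    revoke, trim = [], []
    for user, systems in sorted(access.items()):
        emp = by_user.get(user)
        if emp is None or not emp.active:
            revoke.append(user)  # orphaned or departed account
            continue
        allowed = ROLE_ENTITLEMENTS.get(emp.role, set())
        for system in sorted(systems - allowed):
            trim.append((user, system))  # access left over from an old role
    return revoke, trim


# Constructed sample input.
ROSTER = [
    Employee("alice", "payroll_clerk", True),
    Employee("bob", "recruiter", True),    # bob moved from sysadmin to recruiter
    Employee("carol", "sysadmin", False),  # carol has left the company
]
ACCESS = {
    "alice": {"payroll", "email"},
    "bob": {"ats", "email", "vpn", "payroll"},
    "carol": {"payroll", "ats", "email", "vpn"},
    "dave": {"email"},  # no HR record at all
}

if __name__ == "__main__":
    revoke, trim = review_access(ROSTER, ACCESS)
    print("revoke:", revoke)  # ['carol', 'dave']
    print("trim:", trim)      # [('bob', 'payroll'), ('bob', 'vpn')]
```

Run on a schedule (and on every role change or termination event), this turns the "processes in place to revoke access" recommendation into a concrete list for IT to act on: accounts with no live HR record are revoked outright, and access that outlived a previous role is trimmed back to what the current role needs.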

IT staff also needs to be aware of security risk trends ahead of news reports, experts say.

“Companies should definitely have their IT staff subscribe to security bulletins, and numerous sources will push information” about security issues to you, said Jonathan Villa, an information security consultant with 1030Tech, a security consultancy based in Milwaukee and Chicago. “They’ll tell you details about vulnerabilities, severity, how the breaches are being done—all IT departments should have a subscription to security bulletins; that way they know when their servers are vulnerable to exploits that are out there and from there they can execute a patching cycle,” to fix vulnerabilities.
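The step from "subscribe to security bulletins" to "execute a patching cycle" is a matching exercise: which of our servers run a version older than the one a bulletin says is fixed, and which of those should be patched first? The following is an added example, not code from the article or from 1030Tech; the bulletin format, the reference ids, the product names and the inventory are all constructed stand-ins for whatever feed and asset list a team actually uses.

```python
"""Match security bulletins against a server inventory to drive a patch cycle.

Added example, not from the article or 1030Tech. Bulletins and inventory
below are constructed; the bulletin format is a simplified stand-in for
whatever feed the team subscribes to.
"""
import re


def parse_version(v):
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not as strings.

    String comparison would rank '2.4.9' above '2.4.10' and miss a vulnerable
    host; comparing tuples of integers avoids that mistake.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


# Constructed bulletins: product, first fixed version, severity, reference id.
BULLETINS = [
    {"product": "webserver", "fixed_in": "2.4.10", "severity": "high", "ref": "BULLETIN-A"},
    {"product": "dbserver", "fixed_in": "5.7.3", "severity": "critical", "ref": "BULLETIN-B"},
    {"product": "webserver", "fixed_in": "2.4.2", "severity": "medium", "ref": "BULLETIN-C"},
]

# Constructed inventory: hostname -> {product: installed version}.
INVENTORY = {
    "web01": {"webserver": "2.4.9"},
    "web02": {"webserver": "2.4.12"},
    "db01": {"dbserver": "5.7.1", "webserver": "2.4.1"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def patch_plan(bulletins, inventory):
    """Return (host, product, installed, fixed_in, severity, ref) tuples for
    every host running a version below a bulletin's fix, worst severity first."""
    findings = []
    for host, products in inventory.items():
        for b in bulletins:
            installed = products.get(b["product"])
            if installed is None:
                continue  # host does not run this product at all
            if parse_version(installed) < parse_version(b["fixed_in"]):
                findings.append(
                    (host, b["product"], installed, b["fixed_in"], b["severity"], b["ref"])
                )
    findings.sort(key=lambda f: (SEVERITY_RANK[f[4]], f[0], f[5]))
    return findings


if __name__ == "__main__":
    for host, product, installed, fixed_in, severity, ref in patch_plan(BULLETINS, INVENTORY):
        print(f"{severity:8} {host:6} {product:10} {installed} -> {fixed_in}  ({ref})")
```

The output is the patch cycle in priority order: the critical database finding on db01 comes first, the two high-severity web server findings next, and the medium one last. Note that web01 (2.4.9) is correctly flagged against the 2.4.10 fix only because versions are compared numerically; a quick string comparison in a spreadsheet would have declared it patched.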

Meanwhile, HR needs to continually assess its IT team’s capabilities. Here are some things every HR manager should keep in mind when improving policies on security and training for IT staff:

Forget passwords. Consider “pass phrases,” said Villa. Use the first letter of each word in a sentence to devise a password. “Something like, ‘I Was Born In Milwaukee’ [IWBIM], along with different characters and numbers.” He said a phrase is easier for users to remember and harder for hackers to crack than a password. “The longer, the better.”

Use different pass phrases for different accounts.

Keep your money separate from your social media. Do not use the same passwords or pass phrases for any financial accounts (banks or credit cards) that you do for social media or other sites. “I have the same e-mail address for [all my] social media accounts, but different e-mails and different passwords for online banks and credit card accounts,” Villa said.

Review how you keep all records. Don’t keep any data in an unsecured file on your network or computer.

Keeping data in the cloud doesn’t relieve business leaders of liability if your data becomes compromised. Cloud service providers should “do their due diligence” in making sure your data is secure, but IT must do theirs to make sure those providers are doing their job.